The Third Rail: New Stakeholders Tackle Security Threats and Solutions

Transcription

1 SESSION ID: CXO-R03 The Third Rail: New Stakeholders Tackle Security Threats and Solutions Ted Ross Director, Threat Intelligence HP Security

2 Agenda My brief background An example of a successful collaboration Quick review of some basics Stakeholders Next Gen sharing Use cases 2

3 HPSR Threat Intelligence Strategic Human-to-human Field Intelligence Tactical Machine-to-machine Facilitates strategic human-to-human interaction Threat Central Monitor the Underground Profile Threat Actors Human Intel

4 The Power of Collaboration: A View from the Underground

5 The Adversary Collaborates Effectively Experts Marvel At How Cyber thieves Stole $45 Million In Hours, Thieves Took $45 Million in A.T.M. Scheme Bank Hack Global Network Results in of Hackers Steal $45 Million Million From ATMs Stunning $45 Heist The Circuit: Hackers took $45 million in ATM heist

6 Recruiting

7 But they don t trust each other

8 Collaboration

9 Payment Options Escrow, Laundering, Assets

10 Lessons Learned from the Adversary Sharing is social - social rules apply Protect your identity Credibility is key Reuse what others have learned Leverage each others strengths

11 Challenges that We Must Overcome Limited participation Not comfortable sharing (social issues) No time No trust Data is not actionable lacks context and relevance Overly manual not timely

12 The Power Of Collaboration: What are the Good Guys doing?

13 ISACs (Information Sharing & Analysis Centers) Created from Presidential Directive in 1998 (updated in 2003). Public and private sector to create a partnership to share information about threats, vulnerabilities, and events to help protect the critical infrastructure. U.S. Treasury, DHS and other relevant government agencies / entities use ISACs to disseminate critical information. Last count there are 18 different ISACs (i.e. Financial Services, Energy, Water, National Health, Surface Transportation, etc). FS-ISAC (launched in 1999) is the most advanced and leading the way for others In early 2013, FS-ISAC extended their charter to include information sharing for financial services entities world-wide.

14 STIX / TAXII Structured Threat Information expression A Structured Language for Cyber Threat Intelligence Information Source - Trusted Automated exchange of Indicator Information Enabling Cyber Threat Information Exchange Source -

15 STIX Data Model

16 Observable (lowest level)

17 Indicator

18 Incident

19 Evolution 2015 Embedded Human Threats Video Removed for security purposes

20 Evolution Props to Chris Blask (ICS-ISAC) We are here Building the pipes (infrastructure & tools for sharing) Analyze the Data Apply results

21 The Next Phase- Analyze the Data Indicators come from multiple sources, each with a unique view on the threat Collaboration allows us to LINK artifacts Interacting with an intelligent system allows us to determine which threats are important to you RELEVANCE Using the context to score the indicators makes them ACTIONABLE 21

22 Key Stakeholders Privacy Enhanced Forums HP Security Research YOU YOUR SIEM YOUR STIX Threat DB Threat DB Threat DB Private Community Friend STIX Sector Community SIEM Global Community SIEM STIX Portal SIEM

23 Automated Action Influenced by Context Collect Normalize Analyze/Correlate Distribute / ACT ESM Connector Actionable Intel TC Community Open Source API IP address \ Domain File Hash Registry Key URL Add Context Compare & Correlate Match Customer Case Match to Actors, TTPs \ Verticals Targeted Linked Indicators Portal Security Event Manager Feeds Sightings \ Source Reliability Severity SET SCORE RELEVANT Y/N Edge Device Confidence Research Community Feedback

24 Results & Actions First Sighting Second Sighting Vote Down Effect Third Sighting Fourth Sighting Highest Possible Reliability Normal Normal Normal Normal Normal HIGH Severity M M M M M H Confidence M M M M M H Sightings Votes SCORE Monitor Activity Take Action

25 Results & Actions First Sighting Second Sighting Vote Down Effect Third Sighting Fourth Sighting Highest Possible Reliability Normal Normal Normal Normal Normal HIGH Severity M M M M M H Confidence M M M M M H Sightings Votes SCORE Monitor Activity Take Action

26 Results & Actions First Sighting Second Sighting Vote Down Effect Third Sighting Fourth Sighting Highest Possible Reliability Normal Normal Normal Normal Normal HIGH Severity M M M M M H Confidence M M M M M H Sightings Votes SCORE Monitor Activity Take Action

27 Query Depth = 2 3 Observabl e Observabl e Domain IP Address Observabl e

28 Automated APT Actor Recognition Possible distractions/ Easy attack vectors TTP How APT actors are recognized TTP The power of linking Actors (courtesy of CERT-EU) Secondary recognition

29 Use Case: Automated Actions Brute force login Invalid Login Attacker Invalid Login IPS Key Assets

30 Use Case: Automated Actions Current approach Attacker Invalid Login Invalid Login IPS Company A Attacker Attacker Invalid Login Invalid Login IPS Invalid Login Invalid Login IPS Company B Company C

31 Use Case: Automated Actions New approach Attacker Invalid Login Invalid Login IPS Company A LOW SCORE Sharing Community Medium HIGH LOW SCORE Attacker Invalid Login Invalid Login IPS Invalid Login Company B Company C LOW SCORE LOW SCORE HIGH SCORE Company D If score = HIGH, push to IPS Attacker Invalid Login IPS IPS/Firewall

32 Use Case: Proactive Block Lists - RECON Current approach Recon Source IPS Source X Key Assets Attack Source(s)

33 Recon IP Attack IPs Use Case: Proactive Block Lists - RECON with Threat Central Sharing Community IPS Recon Source Source X Key Assets Attack IP List Attack Source(s)

34 Summarizing: Leveraging the Community Zero day Company A NEW EVENT Malwar e variant Company B NEW EVENT Sharing MALWARE ZERO BAD DAY IP Community Malicious IP address Company C NEW EVENT

35 What to Look for in Threat Sharing Systems Automated bi-directional sharing Analysis of the data Actionable derived results Tap into the existing community of security experts Product agnostic sharing is a must

36 How to Apply Within three months, select a collaboration system that produces A- Actionable results B- Indicators that are relevant to you Start collaborating with both human-human and machine-machine using a system that will send indicators automatically as a result of the collaboration. Leverage strategic intelligence (context) to better defend defend with purpose 36

37 Thank You 37